Your message dated Thu, 28 Nov 2024 10:19:07 +0000
with message-id <[email protected]>
and subject line Bug#1066875: fixed in devscripts 2.24.5
has caused the Debian Bug report #1066875,
regarding debsign tries to parse gpg version from human-readable output, should
use machine-readable output
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1066875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066875
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.23.7
Tags: patch
(this is also
https://salsa.debian.org/debian/devscripts/-/merge_requests/394)
debsign currently tries to determine the version of gpg by parsing the
human-readable output of `gpg --version`.
For use in scripts and other code, the GnuPG project prefers the use
of machine-readable output, and has offered `--with-colons
--list-config` for many versions (back at least to 1.3.5 according to
/usr/share/doc/gnupg/DETAILS.gz). That form of invocation produces a
lot of detail, including the actual version number:
    cfg:version:2.2.40
This mode of output is what is used by libgpgme to determine the
version of gpg, so it is likely to remain stable and parseable.
The attached patch converts debsign to use the machine-parseable format,
rather than the human-readable format.
This issue came up when experimenting with sequoia-chameleon-gnupg,
which produces a human-readable string that doesn't match what debsign
was checking for.
(https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/61).
They're fixing that now in the chameleon upstream, but it seems like
debsign should be using the more robust approach anyway.
Thanks for maintaining devscripts!
--dkg
From 6bed35a535962534883a5aa233cbbcbfc7b15624 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <[email protected]>
Date: Thu, 14 Mar 2024 14:10:59 -0400
Subject: [PATCH] debsign: check gpg version with machine-parseable format
debsign currently tries to determine the version of gpg by parsing the
human-readable output of `gpg --version`.
For use in scripts and other code, the GnuPG project prefers the use
of machine-readable output, and has offered `--with-colons
--list-config` for many versions (back at least to 1.3.5 according to
/usr/share/doc/gnupg/DETAILS.gz). That form of invocation produces a
lot of detail, including the actual version number:
    cfg:version:2.2.40
This mode of output is what is used by libgpgme to determine the
version of gpg, so it is likely to remain stable and parseable.
This change converts debsign to use the machine-parseable format,
rather than the human-readable format.
---
scripts/debsign.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 15b0dfc2..cc4d31ab 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -170,7 +170,7 @@ signfile() {
ASCII_SIGNED_FILE="${UNSIGNED_FILE}.asc"
(cat "$file" ; echo "") > "$UNSIGNED_FILE"
- gpgversion=$($signcommand --version | head -n 1 | cut -d' ' -f3)
+ gpgversion=$($signcommand --with-colons --list-config | awk -F: '/^cfg:version:/ { print $3; exit }')
gpgmajorversion=$(echo $gpgversion | cut -d. -f1)
gpgminorversion=$(echo $gpgversion | cut -d. -f2)
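Review bot: the `+` line assigns `gpgversion` without checking that the awk match produced anything. If `$signcommand` does not implement `--with-colons --list-config`, or emits no `cfg:version:` record, `gpgversion` is empty and the two `cut` lines that follow set `gpgmajorversion` and `gpgminorversion` to empty strings with no diagnostic. Suggest testing for an empty value right after the assignment and stopping with a clear error, and quoting `"$gpgversion"` in the two `echo` calls so an unexpected value is not word-split.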
--
2.43.0
--- End Message ---
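
The difference between the two parsing approaches described in the report above, as an added example that is not part of the original message or of devscripts. The `--list-config` records and the second banner are constructed sample text, and the function names and the validation step are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not devscripts code). All sample text below is constructed.

# Constructed `gpg --with-colons --list-config` output: one record per line,
# fields separated by ':'; the version is field 3 of the cfg:version record.
sample_list_config() {
    cat <<'EOF'
cfg:pubkey:1;16;17;18;19;22
cfg:version:2.2.40
cfg:digest:2;3;8;9;10;11
EOF
}

# Old approach: third space-separated word of the first banner line.
version_from_banner() {
    head -n 1 | cut -d' ' -f3
}

# Succeeds only for a non-empty string of decimal digits.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Machine-readable approach, with validation added for this example:
# prints "MAJOR MINOR", or returns 1 if no usable cfg:version record exists.
gpg_major_minor() {
    v=$(awk -F: '/^cfg:version:/ { print $3; exit }')
    case "$v" in *.*) ;; *) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    is_number "$major" && is_number "$minor" || return 1
    printf '%s %s\n' "$major" "$minor"
}

GNUPG_BANNER='gpg (GnuPG) 2.2.40'
ALT_BANNER='gpg (Example OpenPGP Tool) 2.2.40'   # constructed, hypothetical

printf 'banner, GnuPG style:  %s\n' "$(printf '%s\n' "$GNUPG_BANNER" | version_from_banner)"
printf 'banner, other tool:   %s\n' "$(printf '%s\n' "$ALT_BANNER" | version_from_banner)"
printf 'list-config records:  %s\n' "$(sample_list_config | gpg_major_minor)"
```

The banner parse returns a word from the product name as soon as the name contains a space, while the record parse depends only on the `cfg:version:` prefix and fails closed when that record is absent.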
--- Begin Message ---
Source: devscripts
Source-Version: 2.24.5
Done: Holger Levsen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated devscripts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Nov 2024 10:30:12 +0100
Source: devscripts
Architecture: source
Version: 2.24.5
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Maintainers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Closes: 1066875
Changes:
devscripts (2.24.5) unstable; urgency=medium
.
[ Jochen Sprickerhof ]
* debrebuild: move dscverify to debsnap.
.
[ Guillem Jover ]
* debsign: Remove compatibility code for ancient GnuPG. Closes: #1066875
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---